Back to top

How to configure the Knox built-in VPN

Last updated February 20th, 2024



  • EMMs
  • Knox Service Plugin
  • Samsung Knox Developer access
  • Fully managed devices running Android 10 and higher
  • Devices with work profiles running Android 10 or 11


Samsung devices contain an enhanced version of the built-in Android VPN client. If you want to use this enhanced VPN Service, you can do so by pushing the Android VPN Management for Knox app and configuring the VPN profile with Knox Service Plugin.

How to download Android VPN Management for Knox

This configuration requires the Android VPN Management for Knox app to allow communication between Samsung’s enhanced VPN framework and the built-in Android VPN client. The app can be found on the Knox Developer Portal.

To download the Android VPN Management for Knox app:

  1. On the Knox Partner Program console, go to Knox Developers.

  2. Under SDK Tools, click SDK Downloads.

  3. In SDK Downloads list, find Android VPN Management for Knox.

  4. Click Download.

    The downloaded zip file contains two apps:

    • GPT_KnoxSettingsVPNPlugin.apk
    • RPT_KnoxSettingsVPNPlugin.apk
  5. In your EMM console, assign GPT_KnoxSettingsVPNPlugin.apk as an internal app in your device’s profile, then push the app to the device.

How to configure the VPN profile

To add a VPN configuration to a Knox Service Plugin profile:

  1. On your EMM console, go to Profile.

  2. Create a new profile or modify an existing profile.

  3. Set the following Knox Service Plugin policies:

    • Device-wide policies > Enable Device policy controlsTrue
    • Device-wide policies > VPN policy (Premium) > Enable VPN controlsTrue
    • Device-wide policies > Name of VPN profile to use — Enter your VPN profile name

For work profiles, the same configuration must be created in Work profile policies (Profile Owner). When configuring VPN policies for a work profile, the configuration can be set up for the entire profile, or for selected apps.

To configure a VPN Profile:

  1. Under VPN Profiles (Premium), create the following configuration (by default, the first configuration is called Configuration 1 ):

    • Profile Name — Enter the same name from the Device-wide policies > Name of VPN profile to use policy.
    • VendorKnox built-in
    • Host — Enter the VPN gateway (server) address.
    • VPN connection type — Select the security protocol that the Knox VPN client uses.
    • Parameters for Knox built-in VPN (for Strong Swan) > Authentication Type — Select the type of authentication that the Knox VPN client uses.
    • Fill the remaining fields depending on your configuration requirements.
  2. Click Save & Assign to save your changes and assign the profile to your device group.

Additional information

Is this page helpful?